MasterCard announces that more than 40 million credit card numbers belonging to U.S. consumers have been accessed by a computer hacker and are at risk of being used for fraud; however, company officials can’t say how long the confidential information has been missing. A disgruntled technology employee cracks his former company’s computer system and destroys all payroll and personnel records. A juvenile breaks into hundreds of computers, including some belonging to the U.S. government, and puts adware on each system.
These are true stories. While blatant acts make sensational headlines, some business people still believe their company’s computer systems are safe. They feel that because their operations are small, they are less conspicuous, and therefore less attractive to a would-be techno thief.
That’s not the case, according to security expert Andrew Whitaker.
When it comes to hacking, Whitaker knows his stuff. He is the author of "Penetration Testing and Network Defense" and an instructor at The Training Camp, a multi-location education provider, where he teaches technology professionals how to avoid becoming a victim of cyber crime. In addition, he is known as an "ethical hacker," a consultant who is usually certified by the International Council of E-Commerce Consultants, which companies retain to challenge the security of their computer systems.
"Some hackers will go through a smaller business in order to launch an attack on a bigger company," he said. "Smaller businesses make easier targets."
Being hacked can be costly. The hardware and software components that make up any company’s IT assets require a sizable monetary investment. The same is true for the information stored in the systems. In addition, damage to a company’s reputation following a successful criminal hack can result in public embarrassment and a serious threat to future business and revenue.
Theft of customer data gets big play in the news media and negative reactions from unhappy customers. In fact, one victimized company was hit with a class-action lawsuit when former customers charged that it failed to properly secure their credit card information. This is why ethical hackers, such as Whitaker, are called on to assess the technology of businesses of all sizes and across all industries.
"If you install a burglar alarm in your office, you test it," Whitaker said. "But many companies don’t do that with their (technology) security system. That’s like leaving the front door unlocked."
Automated vulnerability scans are valuable tools, but Whitaker and his code-cracking colleagues in the IT business take security testing one step further. When they do an assessment, they literally break into the company’s system using common hacking software, much of it available for free on the Internet. While breaking into a computer system is a felony in the U.S., hacking by request and under a contract is legal and desirable.
"I try to hack into the system, and I do it exactly like a hacker would do," Whitaker explained. "When I get in, I could steal credit card accounts and then delete them so the crime is not traceable. But instead, I explain how it was done and how to protect the system."
If Whitaker can hack into your system, he won’t fix it. He’ll tell you what is wrong, but you will have to find a different technology pro to repair the problems.
"It’s unethical," he said. "You shouldn’t have the same person who does the assessment fix your system, and you shouldn’t have the person who installs your security do the assessment."
In March, Hannaford Bros. Co. announced that an "illicit and unauthorized computer program" had been secretly installed on servers at each of its 330-plus grocery stores in Maine, Vermont, New Hampshire, Massachusetts and New York.
The bold attack exposed more than 4 million credit and debit card numbers to identity theft, and according to the company, approximately 1,800 known cases of fraud have resulted. Officials did not reveal exactly when or how the incident occurred.
"Over the last few years, we’ve been working to get our networks in place," said Jenny Bullard, chief information officer of Waycross, Ga.-based Flash Foods and a member of the NACS technology council, speaking of the retail industry in general. "And we may not have been as security-conscious as we should have been."
It takes money, time and resources to audit a system and then make the necessary security improvements. Bullard, who oversees the technology systems at 164 Flash Foods stores, is a vocal advocate of taking those precautions on a regular basis. While no retailer likes being dictated to by credit card companies, especially as credit card fees continue rising, "PCI compliance standards are making us all more conscious about security," she said.
Just as banks have regular audits of accounts and procedures, technology systems need periodic checkups to ensure they are still able to protect valuable data. An assessment should be done every year or any time a major technology change takes place, such as the addition of new hardware or major applications.
If a business handles a credit or debit card transaction, it must meet Payment Card Industry (PCI) compliance standards established by the top four card providers: American Express, Discover, MasterCard and Visa.
"PCI Compliance is not a one-time event and people should take it seriously," said Shekar Swamy, president of American Technology Corp., a Philadelphia-based company that helps retailers, including many convenience store chains, meet compliance standards.
Compliance requirements for retailers differ based on the number of transactions they handle on an annual basis. While the standards are not law, they are contractual obligations with the credit card companies, and retailers that fail to comply may be sanctioned or fined. Some fines could be as much as $500,000 per incident.
"The systems of convenience store chains are very complex, probably more complex than say a fashion retailer," said Swamy.
"You must first find out any avenues through which your system can be breached and then put software in place to fix the holes and keep track of when the system was patched. If there is a breach, auditors will want to know that you took protective measures, and if you have a log, you can show them," he said.
A typical assessment may require several days to complete, and some portions of the work may be done outside of normal business hours to simulate a realistic attack. Assessments can be high level or extremely detailed and are priced accordingly. When discussing assessment expenses with a security professional, Whitaker suggests having a budget in mind.
The Same Rules Apply
While smaller businesses don’t have the money that big corporations do to invest in frequent technology testing, they can adopt the same IT rules that corporations require for their employees.
"User education is big," said Whitaker, adding that employees need to understand their part in protecting the employer’s system from unauthorized access. One way employees can do this is through the passwords they use. Passwords that can be easily guessed, such as the employee’s name or the word "password," are a useless form of security.
"Do your employees know not to give out their passwords or to have them on a sticky note stuck to the monitor? All it takes is for one computer in a business’ system to be unprotected for a hacker to succeed. Your server may be secure, but perhaps a work station isn’t," Whitaker said.
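As an added illustration, not part of the original article, the password rule Whitaker describes can be enforced at account-creation time. This Python check rejects passwords built from the employee's name or the word "password", including common disguises such as "P@ssw0rd1!"; the weak-word list and the employee name are constructed sample values, and a real deployment would check against a large breached-password list.

```python
import re

# Constructed sample of weak base words; a production check would use a full
# breached-password list rather than this handful.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "123456"}

# Common "leet" substitutions that employees use to dress up a weak word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case, drop trailing digits/symbols, undo leet substitutions,
    so that 'P@ssw0rd1!' compares as 'password'."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # strip the '1!' style suffix first
    return base.translate(LEET)


def check_password(pw, employee_name, min_len=12):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if pw.isalpha() or pw.isdigit():
        problems.append("uses a single character class")

    norm = normalize(pw)
    if norm in WEAK_WORDS or pw.lower() in WEAK_WORDS:
        problems.append("is a common weak word")

    # Reject any name fragment (or its reverse) of three letters or more,
    # e.g. 'jsmith2024' for employee 'Jane Smith'.
    parts = [p.lower() for p in re.split(r"[\s.\-_]+", employee_name) if len(p) >= 3]
    for part in parts:
        if part in norm or part[::-1] in norm:
            problems.append("contains employee name part '%s'" % part)
            break
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "jsmith2024", "Tr0ub4dor&Crimson-Pier"):
        print(candidate, "->", check_password(candidate, "Jane Smith") or "OK")
```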
Whitaker also advises employers to prohibit indiscriminate downloads of Internet software, music, videos and screensavers to company computers. "If an employee installs a vulnerable game, I can get in and get full access to your network," he said. "The same is true if someone downloads iTunes."
Hacking will always be a problem as long as the black market for stolen credit card numbers and other personal information continues to thrive. However, businesses can take steps to make themselves less vulnerable to would-be thieves.
"Many small retail businesses have lagged behind larger companies that have been doing this for years," Whitaker said of independent security assessments. "But everyone is susceptible."